The NotPetya Global Pandemic – CyberArk Labs Analysis

In May 2017, WannaCry took advantage of an exploit in the Windows operating system to usher in a cyber security pandemic – ransomware that can spread its infection like a traditional worm. The results were catastrophic, with some damage estimates reaching up to more than $4 billion.

Yesterday, a new malware dubbed NotPetya emerged as the driving force behind another devastating global incident – one that will likely surpass WannaCry in terms of damage caused. While there are still unknowns in terms of who unleashed the malware and the root motivations, CyberArk Labs has downloaded multiple samples of the malware for analysis.

Here’s what we know thus far about the malware and its progress from infection to global ransomware pandemic.

Infection Point – Ukraine

On June 27th, a massive ransomware attack was initiated in coordinated fashion in a large number of Ukraine Government offices and large enterprises.

This first wave was initiated by attackers that were already on the targeted networks. These attackers were on the network for some time and used this reconnaissance time to plan and coordinate the attack for maximum effectiveness.

The attackers allegedly found a vulnerability in software that is widely used in Ukrainian government facilities. Based on initial analysis by CyberArk Labs, in this initial wave, NotPetya appeared to be sparing endpoints that use a US English-only keyboard. This seemingly self-imposed restriction has been seen in nation state attacks.

The initial attack was incredibly well-timed and organized – the majority of the targeted systems crashed within the first hour of attack launch.

Once NotPetya gained this foothold inside organizations, it spread using the same incredibly effective method as WannaCry – using the “eternalblue” SMB vulnerability in Microsoft systems. CyberArk Labs also confirmed that NotPetya has a built-in Mimikatz module, designed to steal credentials and facilitate lateral movement across an organization, infecting additional machines.

The credential theft element is important – because this means that even organizations that patched the “eternalblue” SMB vulnerability in Microsoft systems are still vulnerable.

Forming the Global Pandemic

While the initial attack targeted Ukrainian government offices and businesses, subsequent waves of the attack appeared to hit Russia and took off globally.

After the initial infection, the malware spread through traditional means – phishing emails. Random targets across the globe were sent targeted phishing emails that executed the ransomware after recipients clicked on the attached files or links.

Because the ransomware was introduced into networks via phishing – as noted above, even organizations that patched the eternalblue vulnerability were exposed. This ransomware was not stoppable at the perimeter.

Once a recipient clicked on the malicious email, a binary file was dropped onto the targeted machine that checked the endpoint for local administrative rights.

If there were no admin rights on the device to exploit, the ransomware simply died at that point.

If the ransomware was able to steal admin rights, it modified the Master Boot Record (MBR) and installed a new boot partition. The Mimikatz module then kicked in to steal additional credentials to facilitate lateral movement.

This is a critical aspect of the ransomware spread, as NotPetya sought additional machines to infect inside organizations. If the organization failed to patch the enteralblue vulnerability, the ransomware propagated via that vector.

This was the best and fastest way for NotPetya to spread, because it enables the ransomware to be executed in system privileges in the next machine, without the need for credential theft.

While still considered a best practice, patching is NOT enough to stop NotPetya. If a system was patched, the ransomware used the credentials stolen by the Mimikatz module to find vulnerable machines and use the credentials with built-in PSexec.

Countdown to Chaos

Once the ransomware spread to machines across an organization, it was designed to wait a random amount of time (10 – 60 minutes) before rebooting the machine.

This triggered the slim boot loader, encrypting the Master Boot Loader instead of documents and applications. This is why the malware was so damaging – it prevented users from rebooting their machines.

The result was organizational chaos – disrupting major businesses in Ukraine, India, US, Russia and more.

Protecting Your Organization

As with previous ransomware outbreaks, a combination of least privilege and application control policies on endpoints and servers can mitigate the risk of malware like NotPetya spreading from its initial infection point.

When tested in the CyberArk Lab, the combination of least privilege and application greylisting controls proved 100 percent effective in preventing NotPetya from executing.

CyberArk strongly urges every organization to take these immediate steps:

Backup Important Data – Immediately: This should be table-stakes best practices, but every organization should start by making sure all critical data is backed up.

Follow the Least Privilege Principle:Always configure access controls including file, directory and network sharing permissions with the least privilege principle in mind. Most users do not need admin privileges to do their required jobs on their corporate endpoint devices, so user access should remain at the minimal level that will allow normal functioning.

Note: This does NOT make you immune to NotPetya and ransomware – but it effectively stops the ransomware from spreading and carrying our malicious tasks. Endpoints can be replaced – organizational shut down can stop business.

Apply Application Control: Controlling which executables have access to your files can also contribute to defensive efforts. For example, if you put the PowerPoint executable in a whitelist as the only executable that has write access to your presentation files, then if a ransomware’s executable tries to encrypt and overwrite the files, it will be denied (as it is not on the “approved” whitelist). It’s important to also establish policies based on trusts that will protect these “trusted” or whitelisted applications.

Disable SMB v1 and Apply Patches: Organizations that failed to patch earlier were open targets to NotPeyta. Not patching is inexcusable at this point. Organizations should immediately disable the outdated Microsoft SMB protocol version 1 or simply apply the patch MS17-010 that Microsoft released a few months ago.

Block Internet Access: The Microsoft SMB protocol is meant to be internal, so your network should not be open to SMB packets from the internet. Implementing port filtering to block all versions of SMB at the network boundary is also an important preventative measure.

CyberArk Labs continues to seek new variants of this ransomware and will share the results of additional testing and analysis.